Hackers Successfully Shut Down “Critical Infrastructure” in an Unprecedented Attack

Hackers, who researchers have said were possibly working for a nation-state, recently targeted an unnamed critical infrastructure site, causing an operational outage. Security investigators and researchers said that the attackers halted plant operations by using malware to target the site's systems.

In its report, security firm FireEye wrote that the attack targeted Triconex from Schneider Electric, a technology used for industrial safety. The company's website advertises the technology as a complete solution for process safety, offering systems and software for emergency shutdown, fire and gas control, high-intensity pressure management, and other life-critical checks. Schneider has also acknowledged the attack, which appears to be targeted, and has alerted all of its customers that use this technology.

The malware, which is being called TRITON after the Triconex system it attacked, appears to be specifically designed to cause physical damage at this unnamed critical infrastructure plant, since it targeted the site's safety system. The hackers first took control of a workstation running the Triconex safety shutdown software and then tried to reprogram the controllers that are used to identify potential safety issues. During this attempt, some of the controllers entered a fail-safe mode, causing some processes to shut down and prompting the asset owner to initiate an investigation.

Several governments have issued alerts this year warning of cyberattacks on critical infrastructure sites; however, this is possibly the first report of a targeted attack on a safety system at an industrial plant. While it may be the first attack on a safety control system to disrupt operations, attackers have previously targeted electric grids in Ukraine, not to mention the US- and Israel-developed Stuxnet that was used to target Iran's nuclear facilities.

“Of note, on several occasions, we have observed evidence of long term intrusions into ICS which were not ultimately used to disrupt or disable operations,” FireEye wrote. “For instance, Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption.” This paints an even darker picture, since most countries and companies do not even learn of unauthorized access until operations are disrupted.

If history is prologue, more attackers will now start looking into the possibilities. “This is a watershed,” Sergio Caltagirone, head of threat intelligence at Dragos, said. “Others will eventually catch up and try to copy this kind of attack.”